【发布时间】:2021-03-18 04:53:24
【问题描述】:
我有一个带有 PostgreSQL 后端的简单 Django 项目,但我似乎无法摆脱终端上的 Django 安全漏洞警告标志。
Settings.py:
import os
...
ENVIRONMENT = os.environ.get('ENVIRONMENT', default = 'development')
...
SECRET_KEY = os.environ.get('SECRET_KEY')
DEBUG = int(os.environ.get('DEBUG', default=0))
ALLOWED_HOSTS = ['localhost', '127.0.0.1']
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
...
'HOST': 'db',
'PORT': 5432
}
}
if ENVIRONMENT == 'production':
SECURE_BROWSER_XSS_FILTER = True
X_FRAME_OPTIONS = 'DENY'
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 3600
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_REFERRER_POLICY = 'same-origin'
docker-compose.yml:
version: '3.8'
services:
web:
build: .
command: python /code/manage.py runserver 0.0.0.0:8000
environment:
- SECRET_KEY="SECRET_KEY"
- DEBUG=1
- ENVIRONMENT=development
volumes:
- .:/code
ports:
- 8000:8000
depends_on:
- db
db:
image: postgres:12.3
volumes:
- postgres_data:/var/lib/postgresql/data/
volumes:
postgres_data:
docker-compose-prod.yml:
version: '3.8'
services:
web:
build: .
command: python /code/manage.py runserver 0.0.0.0:8000
environment:
- SECRET_KEY="SECRET_KEY"
- DEBUG=0
- ENVIRONMENT=production
ports:
- 8000:8000
depends_on:
- db
db:
image: postgres:12.3
我在终端上运行的是什么:
sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml -f docker-compose.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy
运行“sudo docker-compose exec web python manage.py check --deploy”后,我收到以下警告:
WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W022) You have not set the SECURE_REFERRER_POLICY setting. Without this, your site will not send a Referrer-Policy header. You should consider enabling this header to protect user privacy.
我认为由于 settings.py 中的 if 语句,警告会消失。
我也尝试在终端上运行它:
sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy
但是,我最终得到了一个不同的错误:
django.db.utils.OperationalError: could not translate host name "db" to address: Name or service not known
我不确定我哪里出错了。关于如何让它发挥作用有什么想法吗?任何意见都非常感谢。
已编辑:我使用 Firefox 作为我的网络浏览器。
【问题讨论】:
-
您是否尝试过为生产和测试创建单独的 .env 文件?
-
关于你的数据库的第二个错误也很有趣......你可能想发布关于你的 compose 文件和生产设置的更多配置信息
标签: python-3.x django postgresql docker security